Deleted member 65228

Guest

HTTPS stands for Hypertext Transfer Protocol Secure. It is basically a secure variant of HTTP. When you're using HTTPS-enabled websites, you have an additional layer of encryption which is useful for... keeping confidential data better protected (e.g. when filling in payment-related forms for an online order), for one.

For example, if your home network is breached and an attacker is sniffing the network, data being sent over HTTPS will be in encrypted form in the logs the attacker receives. Could be handy especially for when using public, insecure networks (e.g. when out and about - if you happen to use a laptop not always on your own network). On that note, HTTPS interception is trickier for banking malware generally, but that doesn't mean it stops malware authors, because it really doesn't.

It isn't a "must-have" in my opinion and it can break some websites as others have mentioned, but it can be beneficial if it works right for you. I remember it used to be very popular and the popularity died down a bit, but it is still a good extension. I once used it and liked it at the time, but I removed it a very long time ago because I've no need for it anymore.

Deleted member 65228

Guest

By the way, just as a general note about the encrypted traffic between the browser and the target destination... Banking malware can actually intercept SSL, and this technique is known as "WebInject". The older technique for banking malware is "form-grabbing", but that only covers HTTP communication, not HTTPS. SSL data will be decrypted by the browser client post-communication, and this is where banking malware can abuse this (exploit it) to retrieve the decrypted SSL data via WebInject.

Another would be messing with the certificates on the system... Some AVs do this, and it can open up the opportunity for a Man-In-The-Middle (MITM) attack.

Deleted member 65228

Guest

100% agree, malware authors are becoming smarter and it isn't all that difficult for them to get hold of an HTTPS certificate. They can steal them from others (and have the genuine ones revoked after exposure of having been stolen and used in malicious operations), or they can order one appearing as a genuine customer (or not - I guess some companies are awful at knowing the intentions or do fewer checks) for maybe 100 euros.

Some website hosts (or "website builders") will give out free certificates to clients who pay a bit monthly/on an annual basis, which simplifies it for the malware author.

Malicious phishing URLs are increasingly starting to use HTTPS a lot more because they know that the likelihood of trust from the target victim is increased when they see that green "Secure" label and the green padlock at the top left of the browser navigation bar, over an "Insecure" title or similar.

Level 39

This is important and yes, it totally breaks some important sites. I use it on my personal machine, but rarely deploy it beyond that because I will almost assuredly get 'this site is broke' complaints.
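The breakage mentioned above comes from upgrading http:// to https:// on hosts or paths that were never set up for it. As an added example (not code from this thread or from the HTTPS Everywhere project), here is a small evaluator for a constructed ruleset in the project's XML shape, showing how an exclusion keeps a legacy host from being "broken" while everything else is upgraded. The wildcard-target matching and `to`-template handling are simplified assumptions, not the extension's exact logic.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset (assumed shape of an HTTPS Everywhere ruleset; not a real one).
# legacy.example.com is imagined to have no working HTTPS, so it is excluded.
RULESET_XML = r"""
<ruleset name="Example Site">
  <target host="example.com"/>
  <target host="*.example.com"/>
  <exclusion pattern="^http://legacy\.example\.com/"/>
  <rule from="^http://(www\.)?example\.com/" to="https://www.example.com/"/>
  <rule from="^http:" to="https:"/>
</ruleset>
"""

def host_matches(pattern, host):
    """Match a <target host> value; a leading '*.' covers exactly one label."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern

def load_ruleset(xml_text):
    """Parse targets, exclusions and rules from the ruleset XML."""
    root = ET.fromstring(xml_text)
    return {
        "targets": [t.get("host") for t in root.findall("target")],
        "exclusions": [re.compile(e.get("pattern")) for e in root.findall("exclusion")],
        "rules": [(re.compile(r.get("from")), r.get("to")) for r in root.findall("rule")],
    }

def rewrite(url, ruleset):
    """Return the upgraded URL, or the original when the ruleset does not apply.

    Order mirrors the intent of the format: only http:// URLs on a listed
    target are considered, an exclusion wins over every rule, and the first
    matching rule is applied once.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    if not any(host_matches(t, parts.hostname or "") for t in ruleset["targets"]):
        return url
    if any(e.search(url) for e in ruleset["exclusions"]):
        return url            # left on plain HTTP on purpose: upgrading would break it
    for pattern, replacement in ruleset["rules"]:
        if pattern.search(url):
            return pattern.sub(replacement, url, count=1)
    return url
```

Without the `<exclusion>` line, the legacy host would be rewritten to https:// and fail to load, which is exactly the kind of "this site is broke" complaint the post describes.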

Level 39

By the way, just as a general note about the encrypted traffic between the browser and the target destination... Banking malware can actually intercept SSL, and this technique is known as "WebInject". The older technique for banking malware is "form-grabbing", but that only covers HTTP communication, not HTTPS. SSL data will be decrypted by the browser client post-communication, and this is where banking malware can abuse this (exploit it) to retrieve the decrypted SSL data via WebInject.

Another would be messing with the certificates on the system... Some AVs do this, and it can open up the opportunity for a Man-In-The-Middle (MITM) attack.

Malware is indeed using HTTPS more than ever before, increasing by the day. This is why modern gateway appliances are all going to be required to do SSL scanning. Deep inspection takes a locally installed RCA, but normal SSL inspection doesn't. For me, HTTPS Everywhere isn't required at all since I do SSL validation at the UTM level. My FortiGate appliance does certification/inspection/validation of SSL and non-SSL traffic in real time. However, I find some use in HTTPS Everywhere for enforcement of SSL on sites that it can be enforced on.

HTTPS for websites not designed for it (e.g. without the manual certificate/changes to make it work) can cause problems, which is why HTTPS Everywhere can cause breakages sometimes and likely why Google have not tried to make something similar. But they do display bad certificate details in-browser, and sometimes alert while blocking a load about certificates and safe connections.

Google Chrome security actually helps a lot when I'm hunting for malicious URLs in the analysis environment. All the time it'll be alerting about certificates, or it's already in the DB.

Agreed. Cert scanning and auth can break a LOT of things, even if it is done at the NGFW/appliance level. We've seen Windows Updates get borked. Products like Signal Instant Messenger, which uses a self-signed cert, get blocked. A good amount of serious issues can result because you rely on across-the-board compliance from everyone, and not everyone is compliant, so you will quickly discover who isn't. Also, turning on DNSSEC will quickly show you who isn't compliant in that, and you'll be turning it off in short order.
